A known technique is proposed in Japanese Unexamined Patent Application Publication No. 2003-44297. To completely prevent export of information by a user who has no access right, the information processing apparatus restricts functions such as printing, moving and copying a file, saving a file under another name on a flexible disk, and capturing a screen, according to the access right of the user.
In the technique of Patent Application Publication No. 2003-44297, a request to manipulate a computer resource managed by an operating system, such as a file, a network, a storage unit, a display screen, or an external accessory, is first captured by a resource management program. Having captured the request, the resource management program determines whether the user has an access right to the computer resource specified in the request. When the user has an access right, the resource management program passes the request to the operating system without change. When the user has no access right, the resource management program rejects the request.
However, in the aforementioned technique, access permission to a computer resource is defined in association with a combination of a user and the computer resource, and is statically defined by, for example, an administrator. Thus, access permission cannot be changed in response to the operating environment or operating status of an information processing apparatus. Access permission cannot be specified in response to the operating environment, for example, an environment in which the information processing apparatus is used in a safe place such as company premises. Moreover, access permission cannot be specified in response to the operating status, for example, a status in which a USB memory is connected to the information processing apparatus.
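The limitation described above can be made concrete with a small sketch, added here as an illustration and not taken from either patent document. The user names, the resource name, the `Context` fields, the `EXPORT_OPS` set and the rule in `context_decide` are all assumptions chosen to mirror the two examples in the text (use on company premises, a connected USB memory).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    operation: str  # e.g. "read", "copy", "print"

@dataclass(frozen=True)
class Context:
    """Constructed runtime state; the static scheme has no input for it."""
    on_premises: bool
    usb_memory_connected: bool

# Administrator-defined table: (user, resource) -> permitted operations.
STATIC_ACL = {
    ("alice", "file:design.doc"): {"read", "copy", "print"},
    ("bob", "file:design.doc"): {"read"},
}
EXPORT_OPS = {"copy", "print"}  # assumed set of export-capable operations

def static_decide(req: Request, ctx: Context) -> bool:
    """Static check: ctx is accepted but cannot influence the result."""
    return req.operation in STATIC_ACL.get((req.user, req.resource), set())

def context_decide(req: Request, ctx: Context) -> bool:
    """Assumed rule: exports also require on-premises use and no USB memory."""
    if not static_decide(req, ctx):
        return False
    if req.operation in EXPORT_OPS:
        return ctx.on_premises and not ctx.usb_memory_connected
    return True

def mediate(req, ctx, decide, os_call):
    """Capture a request: pass it to the OS unchanged, or reject it."""
    if not decide(req, ctx):
        raise PermissionError(f"{req.operation} on {req.resource} rejected")
    return os_call(req)

if __name__ == "__main__":
    req = Request("alice", "file:design.doc", "copy")
    office = Context(on_premises=True, usb_memory_connected=False)
    risky = Context(on_premises=False, usb_memory_connected=True)
    for name, decide in (("static", static_decide), ("context", context_decide)):
        print(name, decide(req, office), decide(req, risky))
```

With the static table, the copy request receives the same answer in both contexts; only the context-aware variant distinguishes them.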
It is an object of the present invention to provide an apparatus, a method, and a program for controlling data access by an application program via an operating system so as to provide solutions to the aforementioned problems.